CN110838912A - Key management method, device, equipment and computer medium based on block chain - Google Patents
Key management method, device, equipment and computer medium based on block chain
- Publication number: CN110838912A (application CN201911128865.5A)
- Authority: CN (China)
- Prior art keywords: key, mnemonic, blockchain, sub, secret
- Legal status: Granted
Classifications
- H04L9/0894 (H04L9/08, H04L9/00): Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- H04L9/0861 (H04L9/08, H04L9/00): Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L2209/24 (H04L2209/00): Key scheduling, i.e. generating round keys or sub-keys for block encryption
- H04L9/50 (H04L9/00): Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols using hash chains, e.g. blockchains or hash trees
Landscapes: Engineering & Computer Science; Computer Security & Cryptography; Computer Networks & Wireless Communication; Signal Processing; Financial or Insurance-Related Operations such as Payment and Settlement; Storage Device Security
Abstract
The invention relates to the technical field of financial technology (Fintech) and discloses a blockchain-based key management method. The method includes: when a key escrow request is received, obtaining the key corresponding to the key escrow request and the escrow information of that key; generating the mnemonic corresponding to the key according to a preset mnemonic generation algorithm; processing the mnemonic according to the key escrow information to obtain the sub-secrets corresponding to the mnemonic, and sending the sub-secrets to the blockchain nodes corresponding to the key escrow information; when a key acquisition request is received, sending an acquisition request to the blockchain nodes and receiving the sub-secrets they feed back in response; recovering the mnemonic from the sub-secrets, and recovering the key from the mnemonic. The invention also discloses a blockchain-based key management device, equipment and computer medium. The invention achieves effective management of keys.
Description
Technical field
The present invention relates to the technical field of financial technology (Fintech), and in particular to a blockchain-based key management method, device, equipment and computer medium.
Background
With the development of computer technology, more and more technologies are being applied in the financial field, and the traditional financial industry is gradually transforming into financial technology (Fintech). Because of the financial industry's requirements for security and real-time operation, however, higher demands are also placed on the technology.
When a transaction is sent in a blockchain network, the sender's account address has to be changed for every transaction in order to protect the transaction information of the participants. Random key management can randomly generate a large number of public/private key pairs; each transaction is signed and sent with a new private key, and every private key has to be kept by the user. In practice it is hard for users to manage a large number of private keys, yet losing a private key means losing ownership and use of the corresponding account. Therefore, private keys are currently converted into a mnemonic for management, so that the user does not have to manage many private keys and only needs to keep one unchanging mnemonic. This, however, introduces a new problem: if the mnemonic is lost, ownership and use of the accounts of all private keys derived from that mnemonic are lost.
Summary of the invention
The main purpose of the present invention is to propose a blockchain-based key management method, device, equipment and computer medium, aiming to solve the technical problem that a lost key is difficult to recover in the current blockchain field.
To achieve the above object, the present invention provides a blockchain-based key management method, which includes the following steps:
when a key escrow request is received, obtaining the key corresponding to the key escrow request and the escrow information of the key;
generating the mnemonic corresponding to the key according to a preset mnemonic generation algorithm;
processing the mnemonic according to the key escrow information to obtain the sub-secrets corresponding to the mnemonic, and sending the sub-secrets to the blockchain nodes corresponding to the key escrow information;
when a key acquisition request is received, sending an acquisition request to the blockchain nodes and receiving the sub-secrets fed back by the blockchain nodes in response to the acquisition request;
recovering the mnemonic from the sub-secrets, and recovering the key from the mnemonic.
In one embodiment, the step of generating the mnemonic corresponding to the key according to the preset mnemonic generation algorithm includes:
generating a random sequence (the entropy) according to the preset mnemonic generation algorithm, hashing the entropy to obtain an entropy hash value, and taking the first m bits of the entropy hash value as a checksum, where m is greater than or equal to 1;
appending the checksum to the end of the entropy to obtain a sequence number, and dividing the sequence number into numbered units;
mapping the numbered units against a preset dictionary to obtain an ordered string of words, and using that string as the mnemonic.
In one embodiment, the step of processing the mnemonic according to the key escrow information to obtain the sub-secrets corresponding to the mnemonic, and sending the sub-secrets to the blockchain nodes corresponding to the key escrow information, includes:
extracting the number of nodes n and the threshold value t from the key escrow information, where n is greater than or equal to t, and the threshold value t is the number of blockchain nodes necessary to recover the mnemonic;
encoding the mnemonic into a numeric master secret s, selecting t-1 coefficients a1, a2, ..., a(t-1), and using them to construct a polynomial of degree t-1: f(x) = s + a1*x + a2*x^2 + ... + a(t-1)*x^(t-1);
taking a pair consisting of an independent variable and the corresponding dependent variable of the polynomial as one sub-secret, sending the sub-secrets to the n blockchain nodes, and destroying the polynomial.
In one embodiment, the step of sending the sub-secrets to the n blockchain nodes and destroying the polynomial includes:
determining the blockchain nodes corresponding to the number of nodes n, and the topic name that each of those blockchain nodes subscribes to;
connecting to the blockchain nodes according to the blockchain's on-chain messenger protocol, sending each node the sub-secret corresponding to its topic name through the topic-name channel, and destroying the polynomial.
In one embodiment, the step of sending an acquisition request to the blockchain nodes when a key acquisition request is received, and receiving the sub-secrets fed back by the blockchain nodes in response, includes:
when the key acquisition request is received, selecting t target blockchain nodes from the n blockchain nodes;
sending the acquisition request to the target blockchain nodes, and obtaining the sub-secrets fed back by the target blockchain nodes in response through t on-chain messenger channels.
In one embodiment, the step of recovering the mnemonic from the sub-secrets includes:
reconstructing the polynomial from the t sub-secrets, where each sub-secret consists of an independent variable i and the dependent variable f(i), and the reconstructed polynomial is:
computing the numeric master secret s = f(0) from the reconstructed polynomial, and converting the numeric master secret s back into the mnemonic.
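As an added worked example (not code from the patent), the sharing and recovery just described in Python: the mnemonic is encoded as the integer s, n points (i, f(i)) on a random polynomial of degree t-1 are handed out as sub-secrets, and any t of them reconstruct s = f(0) by Lagrange interpolation, while fewer than t yield an unrelated value. The patent text does not say what arithmetic the polynomial uses; working modulo a large prime is assumed here, and the example mnemonic is the one given in the description.

```python
import secrets

# Assumption (not stated in the patent text): polynomial arithmetic is done modulo
# a large prime, so that t-1 shares reveal nothing about s and the field is big
# enough to hold an encoded mnemonic. The Mersenne prime 2^2203 - 1 is used here.
PRIME = 2**2203 - 1


def encode_mnemonic(mnemonic: str) -> int:
    """Encode the mnemonic string into the numeric master secret s."""
    s = int.from_bytes(mnemonic.encode("utf-8"), "big")
    if s >= PRIME:
        raise ValueError("mnemonic too long for the field")
    return s


def decode_mnemonic(s: int) -> str:
    """Inverse of encode_mnemonic: numeric master secret back to the words."""
    return s.to_bytes((s.bit_length() + 7) // 8, "big").decode("utf-8")


def _eval(coeffs: list[int], x: int) -> int:
    """Horner evaluation of f(x) = coeffs[0] + coeffs[1]*x + ... modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(s: int, n: int, t: int) -> list[tuple[int, int]]:
    """Build f(x) = s + a1*x + ... + a(t-1)*x^(t-1) with random coefficients and
    return the n sub-secrets (i, f(i)), i = 1..n. Requires n >= t >= 2."""
    if not 2 <= t <= n:
        raise ValueError("need n >= t >= 2")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    shares = [(i, _eval(coeffs, i)) for i in range(1, n + 1)]
    del coeffs                      # "destroy the polynomial": only the shares survive
    return shares


def recover_secret(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over the given (distinct) shares: s = f(0)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    s = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = (num * (-xm)) % PRIME          # product of (0 - x_m)
                den = (den * (xj - xm)) % PRIME      # product of (x_j - x_m)
        s = (s + yj * num * pow(den, -1, PRIME)) % PRIME
    return s
```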
In one embodiment, the step of recovering the key from the mnemonic includes:
dividing the mnemonic into a message and a string, and iterating a function over the string to generate a string seed;
splitting the string seed into a master private key and the chain code corresponding to the master private key, where the chain code is used to generate sub-private keys from the master private key;
deriving a sub-private key according to a preset private key derivation algorithm, and using the sub-private key as the key corresponding to the acquisition request.
In addition, to achieve the above object, the present invention also provides a blockchain-based key management device, which includes:
a first receiving module, configured to obtain, when a key escrow request is received, the key corresponding to the key escrow request and the escrow information of the key;
a mnemonic generation module, configured to generate the mnemonic corresponding to the key according to a preset mnemonic generation algorithm;
a processing and sending module, configured to process the mnemonic according to the key escrow information to obtain the sub-secrets corresponding to the mnemonic, and to send the sub-secrets to the blockchain nodes corresponding to the key escrow information;
a second receiving module, configured to send, when a key acquisition request is received, an acquisition request to the blockchain nodes and to receive the sub-secrets fed back by the blockchain nodes in response;
a key recovery module, configured to recover the mnemonic from the sub-secrets and to recover the key from the mnemonic.
In addition, to achieve the above object, the present invention also provides blockchain-based key management equipment, which includes a memory, a processor, and a blockchain-based key management program stored in the memory and runnable on the processor; when the blockchain-based key management program is executed by the processor, it implements the steps of the blockchain-based key management method described above.
In addition, to achieve the above object, the present invention also provides a computer-readable storage medium on which a blockchain-based key management program is stored; when the blockchain-based key management program is executed by a processor, it implements the steps of the blockchain-based key management method described above.
The present invention provides a blockchain-based key management method, device, equipment and computer medium. In the embodiments of the present invention, when a key escrow request is received, the key corresponding to the key escrow request and the escrow information of the key are obtained; the mnemonic corresponding to the key is generated according to a preset mnemonic generation algorithm; the mnemonic is processed according to the key escrow information to obtain the sub-secrets corresponding to the mnemonic, and the sub-secrets are sent to the blockchain nodes corresponding to the key escrow information; when a key acquisition request is received, an acquisition request is sent to the blockchain nodes and the sub-secrets fed back by the blockchain nodes in response are received; the mnemonic is recovered from the sub-secrets, and the key is recovered from the mnemonic. In this embodiment the key management equipment converts the key into a mnemonic, processes the mnemonic to generate sub-secrets, distributes the sub-secrets over the blockchain's on-chain messenger protocol, and at the same time supports a retrieval mechanism: the key management equipment can obtain the sub-secrets from the escrow blockchain nodes, recover the mnemonic from the sub-secrets and thereby recover the key. This achieves effective, secure, reliable and convenient key escrow and avoids permanent loss of accounts.
Description of the drawings
FIG. 1 is a schematic diagram of the equipment structure of the hardware operating environment involved in the embodiments of the present invention;
FIG. 2 is a schematic flowchart of the first embodiment of the blockchain-based key management method of the present invention;
FIG. 3 is a schematic diagram of the functional modules of an embodiment of the blockchain-based key management device of the present invention.
The realization of the objects, functional characteristics and advantages of the present invention will be further described with reference to the accompanying drawings in conjunction with the embodiments.
Detailed description of the embodiments
It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit it.
As shown in FIG. 1, FIG. 1 is a schematic diagram of the equipment structure of the hardware operating environment involved in the embodiments of the present invention.
The blockchain-based key management equipment of the embodiments of the present invention may be a PC or a server.
As shown in FIG. 1, the blockchain-based key management equipment may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005 and a communication bus 1002. The communication bus 1002 is used to implement connection and communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and optionally may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a Wi-Fi interface). The memory 1005 may be high-speed RAM or a stable non-volatile memory such as a magnetic disk memory; optionally, the memory 1005 may also be a storage device independent of the aforementioned processor 1001.
Those skilled in the art will understand that the equipment structure shown in FIG. 1 does not constitute a limitation on the equipment, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
As shown in FIG. 1, the memory 1005, as a computer storage medium, may include an operating system, a network communication module, a user interface module and a blockchain-based key management program.
In the equipment shown in FIG. 1, the network interface 1004 is mainly used to connect to a back-end server and exchange data with it; the user interface 1003 is mainly used to connect to a client (user terminal) and exchange data with it; and the processor 1001 may be used to call the blockchain-based key management program stored in the memory 1005 and perform the operations of the blockchain-based key management method described below. For the method implemented when the blockchain-based key management program running on the processor is executed, refer to the embodiments of the blockchain-based key management method of the present invention; it is not repeated here.
At present, random key management schemes and deterministic hierarchical key management schemes are commonly used. A random key management scheme is a key generation method controlled by some random algorithm; this is currently the most common class of key generation method, producing keys according to a predetermined random algorithm or random number table. However, because of the characteristics of the algorithm itself, the keys produced by any algorithm can be predicted. Deterministic hierarchical key management starts from a mnemonic: the mnemonic generates a seed, the seed generates a master private key, sub-private keys are derived from the master private key, sub-private keys can in turn derive further sub-private keys, and a new sub-private key is chosen for signing each time a transaction is sent. The mnemonic remains unchanged; the user needs to keep the mnemonic but not the master private key or its sub-private keys, which resolves the drawback of random key management: the user does not manage a large number of private keys, only one unchanging mnemonic. At the same time, however, a new problem is introduced: if the mnemonic is lost, all the private keys derived from it are lost, together with ownership and use of the corresponding accounts, so the loss under deterministic hierarchical key management is greater than under a random key management scheme.
The scheme of the embodiments of the present invention is an improvement on the deterministic hierarchical key management scheme. The present invention relates to a blockchain-based key management method and designs a secure retrieval mechanism for the mnemonic in deterministic hierarchical key management: threshold encryption and decryption technology effectively protects the user's mnemonic and hence the private keys, thereby effectively preventing the user from permanently losing accounts.
Based on the above hardware structure, embodiments of the blockchain-based key management method of the present invention are proposed.
Referring to FIG. 2, FIG. 2 is a schematic flowchart of the first embodiment of the blockchain-based key management method of the present invention. The blockchain-based key management method includes:
Step S10: when a key escrow request is received, obtain the key corresponding to the key escrow request and the escrow information of the key.
The blockchain-based key management method of this embodiment is applied to blockchain-based key management equipment. The key management equipment receives a key escrow request; how the key escrow request is triggered is not specifically limited. The request may be actively triggered by the user: for example, on the display interface of a business node (also called a trading terminal) the user selects the key to be escrowed and clicks the "Manage" button, which actively triggers the key escrow request, and the trading terminal sends the key escrow request to the key management equipment. Alternatively, the key escrow request may be triggered automatically by the key management equipment: for example, the key management equipment is preconfigured so that every new key produced by a transaction automatically triggers an escrow request, and when a transaction produces a new key the key management equipment triggers the key escrow request by itself.
When the key management equipment receives the key escrow request, it obtains the key in the key escrow request and the escrow information of the key. The escrow information includes the identifiers of the blockchain nodes that will hold the escrow, the number of blockchain nodes n, and the minimum number of blockchain nodes t needed to recover the key (also called the threshold value t; it is understood that the number of nodes n is greater than or equal to t).
Step S20: generate the mnemonic corresponding to the key according to a preset mnemonic generation algorithm.
A mnemonic generation algorithm is preset in the key management equipment; it is a random algorithm configured in advance for generating mnemonics. The key management equipment uses the preset mnemonic generation algorithm to produce a group of English words, Chinese characters or characters of another language as the mnemonic. The number of characters in the mnemonic is not specifically limited in this embodiment; for example, the mnemonic may contain 12 characters. It is understood that the mnemonic is a very important parameter: the user needs to keep it safe, since it is used to recover the key and thereby the associated trading account.
This embodiment gives a specific implementation of mnemonic generation, including:
Step a1: generate a random sequence (the entropy) according to the preset mnemonic generation algorithm, hash the entropy to obtain an entropy hash value, and take the first m bits of the entropy hash value as a checksum, where m is greater than or equal to 1;
Step a2: append the checksum to the end of the entropy to obtain a sequence number, and divide the sequence number into numbered units;
Step a3: map the numbered units against a preset dictionary to obtain an ordered string of words, and use that string as the mnemonic.
That is, in this embodiment the key management equipment generates the entropy of a random sequence according to the preset mnemonic generation algorithm, hashes the entropy to obtain an entropy hash value, and takes the first m bits of the entropy hash value as the checksum, where m may be determined from the entropy length, for example m = entropy length / 32, and m is greater than or equal to 1. The key management equipment appends the checksum to the end of the entropy to obtain a sequence number and divides the sequence number into numbered units; it then maps the numbered units against a preset dictionary (a dictionary configured in advance in the key management equipment) to obtain an ordered string of words, and uses that string as the mnemonic.
For example: ① the key management equipment generates a random sequence (the entropy) of 128-256 bits according to the preset mnemonic generation algorithm; ② it takes the first m bits of the hash of the entropy as the checksum (m = entropy length / 32), producing a checksum of the random sequence; ③ it appends the checksum to the end of the random sequence (entropy); ④ it divides the resulting sequence into parts of 11 bits each; ⑤ it maps each 11-bit value to a predefined dictionary of 2048 English words, Chinese characters or characters of another language; ⑥ the ordered string of English words, Chinese characters or other-language characters so produced is the mnemonic. Example: a randomly generated mnemonic string is: ivory behave giggle clerk grocery firm host rail chronic off lunar silent.
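An added example (not the patent's own code) of steps ① to ⑥ in Python, together with the inverse decoding that verifies the checksum, which is what catches a mistyped or swapped word when a mnemonic is entered for recovery. SHA-256 as the entropy hash is an assumption, and the 2048-entry dictionary is a constructed placeholder standing in for the predefined word list, which is not reproduced on the page.

```python
import hashlib
import secrets

# Constructed placeholder dictionary: 2048 entries "w0000" .. "w2047" standing in
# for the predefined 2048-word list the description refers to.
WORDLIST = [f"w{i:04d}" for i in range(2048)]
WORD_INDEX = {w: i for i, w in enumerate(WORDLIST)}


def mnemonic_from_entropy(entropy: bytes) -> list[str]:
    """Steps a1-a3: entropy -> checksum -> 11-bit units -> dictionary words."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    m = ent_bits // 32                                # checksum length m = entropy length / 32
    digest = hashlib.sha256(entropy).digest()         # assumption: SHA-256 is the entropy hash
    bits = bin(int.from_bytes(entropy, "big"))[2:].zfill(ent_bits)
    checksum = bin(int.from_bytes(digest, "big"))[2:].zfill(256)[:m]
    seq = bits + checksum                             # checksum appended to the entropy
    assert len(seq) % 11 == 0                         # (ent_bits + ent_bits/32) is a multiple of 11
    return [WORDLIST[int(seq[i:i + 11], 2)] for i in range(0, len(seq), 11)]


def generate_mnemonic(ent_bits: int = 128) -> list[str]:
    """Step ①: fresh random entropy from the OS CSPRNG, then encode it."""
    return mnemonic_from_entropy(secrets.token_bytes(ent_bits // 8))


def entropy_from_mnemonic(words: list[str]) -> bytes:
    """Inverse mapping. Raises ValueError on an unknown word, a bad word count,
    or a checksum mismatch (a corrupted or mistyped mnemonic)."""
    if len(words) % 3 != 0 or not 12 <= len(words) <= 24:
        raise ValueError("mnemonic must have 12, 15, 18, 21 or 24 words")
    try:
        seq = "".join(bin(WORD_INDEX[w])[2:].zfill(11) for w in words)
    except KeyError as exc:
        raise ValueError(f"word not in dictionary: {exc.args[0]}") from None
    m = len(seq) // 33                                # 33 bits carried per 32 bits of entropy
    ent_bits, checksum = seq[:-m], seq[-m:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    expected = bin(int.from_bytes(hashlib.sha256(entropy).digest(), "big"))[2:].zfill(256)[:m]
    if checksum != expected:
        raise ValueError("checksum mismatch")
    return entropy
```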
In this embodiment the key management equipment converts the key into a mnemonic for the user's convenience in memorising it. Even so, converting the key into a mnemonic cannot prevent the mnemonic from being forgotten, so this embodiment escrows the mnemonic so that it can be recovered after it is forgotten. Specifically:
Step S30: process the mnemonic according to the key escrow information to obtain the sub-secrets corresponding to the mnemonic, and send the sub-secrets to the blockchain nodes corresponding to the key escrow information.
The key management equipment processes the mnemonic according to the key escrow information: the key escrow information contains the identifiers of the escrow blockchain nodes and the number of blockchain nodes, the key management equipment processes the mnemonic to generate as many sub-secrets as there are blockchain nodes, and it distributes the sub-secrets over the on-chain protocol to the blockchain nodes identified by those identifiers.
It is understood that the specific way in which the key management equipment processes the mnemonic according to the key escrow information to obtain the sub-secrets is not limited. Specifically, in implementation one, the key management equipment divides the mnemonic into strings and encrypts the divided strings to obtain the sub-secrets; in implementation two, the key management equipment converts the mnemonic into a numeric value, constructs a polynomial from that value, and uses the constructed polynomial as the sub-secrets.
In this embodiment the mnemonic is generated by a preset mnemonic generation algorithm, and the key is managed by managing the mnemonic, so that the user retains ownership of the account corresponding to the key and the mnemonic can be recovered when the user forgets it. Specifically:
Step S40: when a key acquisition request is received, send an acquisition request to the blockchain nodes and receive the sub-secrets fed back by the blockchain nodes in response.
When the key management equipment receives a key acquisition request, it sends an acquisition request to the blockchain nodes; the blockchain nodes receive the acquisition request and each send their sub-secret through the designated channel according to the on-chain messenger protocol, and the key management equipment obtains the sub-secrets from the on-chain messenger channels.
Step S50: recover the mnemonic from the sub-secrets, and recover the key from the mnemonic.
The key management equipment recovers the mnemonic from the sub-secrets, that is, it reverses the processing that produced the sub-secrets to regenerate the mnemonic; for example, if the mnemonic was turned into sub-secrets by division and encryption, the sub-secrets are turned back into the mnemonic by decryption and concatenation. The key management equipment then recovers the key from the mnemonic, which specifically includes:
Step b1: divide the mnemonic into a message and a string, and iterate over the string by calling a function to generate a string seed;
Step b2: split the string seed into a master private key and the chain code corresponding to the master private key, where the chain code is used to generate child private keys from the master private key;
Step b3: derive a child private key according to a preset private key derivation algorithm, and use the child private key as the key corresponding to the acquisition request.
That is, the key management device divides the mnemonic into a message and a string and iterates over the string by calling a function to generate a string seed; it splits the string seed into a master private key and the chain code corresponding to that master private key, where the chain code is used to generate child private keys from the master private key; the preset private key derivation algorithm of the key management device is a pre-configured algorithm for generating child private keys.
The key management device derives a child private key according to the preset private key derivation algorithm and uses that child private key as the key corresponding to the acquisition request.
In this embodiment the key management device converts the key into a mnemonic, processes the mnemonic to produce sub-secrets, distributes the sub-secrets over the blockchain's on-chain messenger protocol, and supports a retrieval mechanism: the key management device can fetch the sub-secrets from the escrow blockchain nodes, use them to recover the mnemonic and thereby recover the key. This achieves effective, secure, reliable and convenient key escrow and avoids permanent loss of the account.
Further, on the basis of the first embodiment of the blockchain-based key management method of the present invention, a second embodiment of the blockchain-based key management method is proposed.
The difference between this embodiment and the first is that here the sub-secrets need not be recovered from all of the blockchain nodes that received them; the key can still be recovered. Specifically:
First, this embodiment refines step S30 of the first embodiment, including:
Extracting the number of nodes n and the threshold t from the key escrow information, where n is greater than or equal to t, and the threshold t is the number of blockchain nodes required to recover the mnemonic.
Encoding the mnemonic to form a numerical master secret s, choosing t-1 coefficients, and using them to construct a polynomial of degree t-1, where the coefficients are a1, a2, ..., a_(t-1) and the polynomial is f(x) = s + a1*x + a2*x^2 + ... + a_(t-1)*x^(t-1).
Taking the independent variable and the dependent variable of the polynomial as one sub-secret, sending the sub-secrets to the n blockchain nodes, and destroying the polynomial.
That is, the key management device extracts the number of nodes n and the threshold t from the key escrow information and threshold-encrypts the mnemonic as follows:
1. The key management device selects the number of blockchain nodes n and the threshold t, meaning that at least t of the n blockchain nodes must each provide their sub-secret before the mnemonic can be recovered. The t blockchain nodes may be controlled by the key management device or by other consortium-chain participants;
2. The key management device encodes the mnemonic as a numerical master secret s, then chooses t-1 coefficients a1, a2, ..., a_(t-1) and constructs the degree t-1 polynomial f(x) = s + a1*x + a2*x^2 + ... + a_(t-1)*x^(t-1).
The key management device selects n blockchain nodes with identifiers P1, P2, ..., Pn, takes the independent and dependent variable of the polynomial as one sub-secret, sends the sub-secrets to the n blockchain nodes over the blockchain communication protocol, and destroys the polynomial. For example, the sub-secret assigned to Pi is (i, f(i)), where 1 <= i1 < i2 < ... <= n. The n sub-secrets are analogous to child private keys; each blockchain node keeps its own safely, and the key management device then destroys the polynomial.
The specific process of distributing sub-secrets over the blockchain is as follows:
1. The key management device distributes the sub-secrets using the blockchain's on-chain messenger protocol. The key management device connects to one blockchain node through a blockchain software development kit (SDK), and other blockchain SDKs connect to the other blockchain nodes.
2. The key management device determines the topic name that each blockchain SDK subscribes to; for example, the topic corresponding to sub-secret (i, f(i)) is share_i. The other blockchain SDKs then start the server side of their blockchain's on-chain messenger protocol, each subscribing to its assigned topic. Finally, the key management device starts the on-chain messenger protocol client through its blockchain SDK and sends sub-secret (i, f(i)) through the channel whose topic name is share_i; each other blockchain node receives the sub-secret sent by the key management device through the topic channel its SDK listens on. The channels share the blockchain network but are isolated from one another, so every blockchain node receives a different sub-secret, which it then stores locally. At this point the distribution of sub-secrets over the blockchain's on-chain messenger protocol is complete.
For example: 1. The key management device encodes the mnemonic into the numerical master secret s = 100 and selects the threshold (n, t) = (4, 3), that is, n = 4 and t = 3. The master secret s must therefore be divided into 4 sub-secrets, at least 3 of which are needed for recovery. A polynomial of degree t-1 = 3-1 = 2 is constructed; with coefficients 5 and 3 the polynomial is f(x) = 100 + 5*x + 3*x^2. The 4 sub-secrets can then be chosen as (1, f(1)) = (1, 108), (2, f(2)) = (2, 122), (3, f(3)) = (3, 142) and (4, f(4)) = (4, 168). 2. The key management device selects 4 nodes of the blockchain to hold the sub-secrets; the blockchain SDKs connected to the 4 nodes subscribe to topics share_1, share_2, share_3 and share_4 respectively, and all start the on-chain messenger protocol server. The key management device starts the on-chain messenger protocol client through its blockchain SDK and sends (1, 108), (2, 122), (3, 142) and (4, 168) to topics share_1, share_2, share_3 and share_4 respectively; each on-chain messenger protocol server receives its sub-secret and stores it locally, and the key management device destroys the polynomial.
Next, this embodiment refines step S40 of the first embodiment:
When a key acquisition request is received, selecting t target blockchain nodes from the n blockchain nodes.
Sending an acquisition request to the target blockchain nodes, and obtaining the sub-secrets fed back by the target blockchain nodes in response to the request through the t on-chain messenger channels.
That is, to request sub-secrets and recover the mnemonic: if the key management device has lost its stored mnemonic, it can request t sub-secrets from at least t of the n blockchain nodes. The specific process of requesting sub-secrets over the blockchain is as follows:
1) The key management device starts the on-chain messenger protocol server through its blockchain SDK and subscribes to t topics named share_i; the other blockchain SDKs start the on-chain messenger protocol client and each send the sub-secret (i, f(i)) to the channel with topic name share_i.
2) The key management device obtains the t sub-secrets from the t on-chain messenger channels through its blockchain SDK.
Again, this embodiment refines step S50 of the first embodiment, including:
Reconstructing the polynomial from the t sub-secrets, where each sub-secret consists of the independent variable i and the dependent variable f(i), and the reconstructed polynomial is:
Computing the numerical master secret s = f(0) from the reconstructed polynomial, and converting the numerical master secret s back into the mnemonic.
Specifically, in the mnemonic recovery flow, once t sub-secrets (i, f(i)) have been obtained from t blockchain nodes, the polynomial can be reconstructed:
The numerical master secret s = f(0) is then computed, and finally s is converted back into the mnemonic. This both provides a recovery mechanism for the key management device's mnemonic and prevents any single node from obtaining the mnemonic directly, guarding against a malicious node. It also provides a flexible fault-tolerance mechanism: the key management device can choose the number of blockchain nodes, and the larger n is, the higher the fault tolerance, but also the higher the resource overhead.
For example: ① The key management device selects 3 of the 4 nodes from which to request sub-secrets, say blockchain nodes 1, 2 and 3. The key management device connects to a node through its blockchain SDK, starts the on-chain messenger protocol server and subscribes to the channels with topic names share_1, share_2 and share_3. The three blockchain SDKs connected to blockchain nodes 1, 2 and 3 start the on-chain messenger protocol client and send (1, 108), (2, 122) and (3, 142) to the channels with topic names share_1, share_2 and share_3 respectively. The key management device thus obtains the three sub-secrets through the blockchain.
② From the three sub-secrets, the polynomial is reconstructed as follows:
The recovered master secret s is then:
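The split in the worked example above (s = 100, (n, t) = (4, 3), coefficients 5 and 3) and the recovery from three of the four sub-secrets, carried through as an added Python example; this is not the patent's code nor any implementation of it. Names such as split_secret and recover_secret are my own. One assumption goes beyond the page: the arithmetic is done modulo a prime p, which the patent's integer example does not state. Over a prime field any t-1 shares reveal nothing about s, whereas over the plain integers they leak information about it. Because every f(i) in the example is far smaller than p, the shares come out identical to the page's (1,108), (2,122), (3,142), (4,168).

```python
"""Shamir (t, n) threshold sharing of a numeric master secret s, and recovery of
s = f(0) by Lagrange interpolation.  Added illustration, not the patent's code.
"""
import secrets

# Mersenne prime 2**2203 - 1 (assumption: the page names no modulus).  It is
# large enough to hold a UTF-8-encoded 24-word mnemonic as a single integer.
PRIME = (1 << 2203) - 1


def encode_mnemonic(mnemonic: str) -> int:
    """Encode the mnemonic as the numeric master secret s (UTF-8, big-endian)."""
    return int.from_bytes(mnemonic.encode("utf-8"), "big")


def decode_mnemonic(s: int) -> str:
    """Inverse of encode_mnemonic: numeric master secret back to the phrase."""
    return s.to_bytes((s.bit_length() + 7) // 8, "big").decode("utf-8")


def split_secret(s, n, t, coeffs=None, p=PRIME):
    """Build f(x) = s + a1*x + ... + a_(t-1)*x^(t-1) mod p and return shares (i, f(i)).

    coeffs: the t-1 coefficients a1..a_(t-1); drawn uniformly at random when None.
    The polynomial is a local variable only and is gone once the shares exist,
    matching the text's requirement that the device destroy it.
    """
    if not 1 <= t <= n or not 0 <= s < p:
        raise ValueError("need 1 <= t <= n and 0 <= s < p")
    if coeffs is None:
        coeffs = [secrets.randbelow(p) for _ in range(t - 1)]
    if len(coeffs) != t - 1:
        raise ValueError("need exactly t-1 coefficients")
    poly = [s] + list(coeffs)

    def f(x):
        return sum(a * pow(x, k, p) for k, a in enumerate(poly)) % p

    return [(i, f(i)) for i in range(1, n + 1)]


def recover_secret(shares, p=PRIME):
    """Recover s = f(0) from t shares (i, f(i)) via Lagrange interpolation mod p."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    s = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % p        # product of (0 - xm)
                den = den * (xj - xm) % p    # product of (xj - xm)
        s = (s + yj * num * pow(den, -1, p)) % p
    return s


if __name__ == "__main__":
    shares = split_secret(100, 4, 3, coeffs=[5, 3])
    print(shares)                                 # the page's four sub-secrets
    print(recover_secret(shares[:3]))             # any three of them give 100
```

Recovery with only t-1 shares returns a different value rather than an error, which is why the key management device must collect exactly t valid shares from t distinct nodes; the duplicate-index check guards against the same node's share being counted twice.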
Generating the seed from the mnemonic: the key management device may protect its mnemonic with a passphrase; if no passphrase is set, the empty string is used instead. To create a seed from the mnemonic, the PBKDF2 function is called with the mnemonic as the message m and the string "mnemonic" + passphrase as the salt, iterated n times (for example 2048 times), using HMAC-SHA512 to derive a string seed of klen (= 512) bits. That is, seed = PBKDF2(HMAC-SHA512, m, salt, n, klen), where HMAC-SHA512 takes the message m and the salt, is iterated n times, and produces the klen-bit string seed.
Generating the master private key from the seed: the seed is 512 bits and is split into left and right halves of 256 bits each, denoted IL and IR. The master private key is M = IL and the chain code corresponding to the master private key is C = IR; the chain code is a blinding factor used to produce child private keys.
Deriving child private keys from the master private key: denote the parent private key Kpar and the parent chain code Cpar; the first derivation starts from the master private key, i.e. Kpar = M and Cpar = C. Let i be the child private key index; the private key derivation algorithm is as follows:
① I = HMAC-SHA512(Key = Cpar, Data = Kpar || i), where I is a 512-bit sequence.
② Split I into left and right halves of 256 bits each, denoted IL and IR; then the child private key is Ki = IL + Kpar and the child chain code is Ci = IR.
③ Repeating ① and ② derives further child private keys from a child private key. Each time the key management device sends a transaction it can choose one of the child private keys to sign it, and the sender's account address then corresponds to the public key produced from that private key. Because a different private key is used each time, the corresponding public key differs and so does the account address, which protects the privacy of the user's transactions.
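The seed, master key and child derivation steps ① to ③ above, as an added Python example; this is not the patent's code and not any wallet library. Assumptions beyond the page: the addition Ki = IL + Kpar is reduced modulo the secp256k1 group order (the page writes no modulus and names no curve), the index i is serialised as 4 big-endian bytes, and the mnemonic and passphrase are NFKD-normalised as BIP39 does. The master key is taken directly from the seed halves as the page states; BIP32 proper derives it with HMAC-SHA512 keyed by the string "Bitcoin seed", so child keys from this code are not interchangeable with BIP32 wallets, although the seed step itself is the standard BIP39 one.

```python
"""Mnemonic -> seed -> (master key, chain code) -> child keys, following the
steps in the text.  Added illustration, not the patent's code.
"""
import hashlib
import hmac
import unicodedata

PBKDF2_ROUNDS = 2048   # n in the text
SEED_BITS = 512        # klen in the text
# Order of the secp256k1 base point.  Assumption: the page names no curve.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """seed = PBKDF2(HMAC-SHA512, m, "mnemonic" + passphrase, n, klen)."""
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, PBKDF2_ROUNDS, SEED_BITS // 8)


def seed_to_master(seed: bytes):
    """Split the 512-bit seed into M = IL (master private key) and C = IR (chain code)."""
    if len(seed) != SEED_BITS // 8:
        raise ValueError("seed must be 512 bits")
    return seed[:32], seed[32:]


def derive_child(k_par: bytes, c_par: bytes, i: int):
    """Steps ① and ②: I = HMAC-SHA512(Key=Cpar, Data=Kpar||i); Ki = IL + Kpar, Ci = IR."""
    if not 0 <= i < 2 ** 32:
        raise ValueError("index must fit in 32 bits")
    I = hmac.new(c_par, k_par + i.to_bytes(4, "big"), hashlib.sha512).digest()
    il, ir = I[:32], I[32:]
    # Reduce modulo the group order (assumption) so that Ki is a valid scalar.
    k_i = (int.from_bytes(il, "big") + int.from_bytes(k_par, "big")) % SECP256K1_N
    if k_i == 0:
        raise ValueError("derived key is zero; skip this index")
    return k_i.to_bytes(32, "big"), ir


def derive_path(seed: bytes, path):
    """Step ③: repeat the derivation along a list of indices, starting at the master key."""
    k, c = seed_to_master(seed)
    for i in path:
        k, c = derive_child(k, c, i)
    return k, c


if __name__ == "__main__":
    # Constructed demo input: the all-"abandon" phrase with passphrase "TREZOR".
    demo = " ".join(["abandon"] * 11 + ["about"])
    seed = mnemonic_to_seed(demo, "TREZOR")
    print(seed.hex())
    k, c = derive_path(seed, [0, 1])
    print(k.hex(), c.hex())
```

Every child key depends on the parent chain code as HMAC key, so an observer who sees one child key but not the chain code cannot derive its siblings; this is the "blinding factor" role the text assigns to C.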
In this embodiment threshold encryption is introduced on top of a hierarchical deterministic key management scheme, so that the key management device can easily use a large number of private keys while also providing an escrow mechanism for the mnemonic. It provides a core mechanism for recovering the mnemonic when the user has lost it, and a key escrow scheme based on threshold encryption is more secure and more stable.
Referring to FIG. 3, an embodiment of the present invention further provides a blockchain-based key management apparatus, which includes:
a first receiving module 10, configured to obtain, when a key escrow request is received, the key corresponding to the key escrow request and the escrow information of the key;
a mnemonic generation module 20, configured to generate the mnemonic corresponding to the key according to a preset mnemonic generation algorithm;
a processing and sending module 30, configured to process the mnemonic according to the key escrow information to obtain the sub-secrets corresponding to the mnemonic, and to send the sub-secrets to the blockchain nodes indicated by the key escrow information;
a second receiving module 40, configured to send, when a key acquisition request is received, an acquisition request to the blockchain nodes and receive the sub-secrets fed back by the blockchain nodes in response to the request;
a key recovery module 50, configured to recover the mnemonic from the sub-secrets and recover the key from the mnemonic.
In one embodiment, the mnemonic generation module 20 includes:
a hash calculation unit, configured to generate the entropy of a random sequence according to the preset mnemonic generation algorithm, hash the entropy to obtain an entropy hash value, and take the first m bits of the entropy hash value as a checksum, where m is greater than or equal to 1;
a number acquisition unit, configured to append the checksum to the end of the entropy to obtain a numbered sequence, and divide the numbered sequence into number units;
a mnemonic generation unit, configured to map the number units to a preset dictionary to obtain an ordered string of words, and use that string as the mnemonic.
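The hash calculation, number acquisition and mnemonic generation units just described, as an added Python example rather than the patent's code. The dictionary is a constructed stand-in of 2048 synthetic words (w0000 to w2047) because the page does not include its preset dictionary; m is taken as ENT/32 bits and each number unit as 11 bits, the BIP39 parameters, which the page leaves unspecified. The inverse function shows what the checksum buys on the recovery side: a mistyped word is rejected (with probability 1 - 2^-m) before any seed or key is derived from it.

```python
"""Entropy -> SHA-256 checksum -> numbered 11-bit units -> dictionary words,
and the checksum-verifying inverse.  Added illustration, not the patent's code.
"""
import hashlib
import secrets

UNIT_BITS = 11                                   # assumption: BIP39 group size
DICT = [f"w{k:04d}" for k in range(2048)]        # constructed stand-in dictionary


def _bits(data: bytes, width: int) -> str:
    return bin(int.from_bytes(data, "big"))[2:].zfill(width)


def entropy_to_mnemonic(entropy: bytes, dictionary=DICT):
    """Hash calculation + number acquisition + mnemonic generation units."""
    ent_bits = len(entropy) * 8
    if ent_bits % 32 or not 128 <= ent_bits <= 256:
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    m = ent_bits // 32                           # checksum length (assumption: ENT/32)
    checksum = _bits(hashlib.sha256(entropy).digest(), 256)[:m]
    numbered = _bits(entropy, ent_bits) + checksum   # entropy || first m hash bits
    units = [int(numbered[k:k + UNIT_BITS], 2)
             for k in range(0, len(numbered), UNIT_BITS)]
    return [dictionary[u] for u in units]        # ordered words = the mnemonic


def mnemonic_to_entropy(words, dictionary=DICT) -> bytes:
    """Inverse mapping; raises ValueError when a word is unknown or the checksum fails."""
    index = {w: k for k, w in enumerate(dictionary)}
    try:
        bits = "".join(bin(index[w])[2:].zfill(UNIT_BITS) for w in words)
    except KeyError as e:
        raise ValueError(f"word not in dictionary: {e.args[0]}")
    ent_bits = len(bits) * 32 // 33              # ENT such that ENT + ENT/32 == len(bits)
    m = len(bits) - ent_bits
    entropy = int(bits[:ent_bits], 2).to_bytes(ent_bits // 8, "big")
    expected = _bits(hashlib.sha256(entropy).digest(), 256)[:m]
    if bits[ent_bits:] != expected:
        raise ValueError("checksum mismatch: mnemonic was mistyped or altered")
    return entropy


def generate_mnemonic(strength_bits: int = 128):
    """Fresh random entropy from the OS CSPRNG, turned into a phrase."""
    return entropy_to_mnemonic(secrets.token_bytes(strength_bits // 8))


if __name__ == "__main__":
    words = generate_mnemonic(128)
    print(" ".join(words))
    assert mnemonic_to_entropy(words) is not None
```

With the real BIP39 English list in place of DICT, the all-zero 128-bit entropy maps to the familiar eleven "abandon" words followed by "about" (index 3), which is exactly what the four checksum bits 0011 select here as w0003.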
In one embodiment, the processing and sending module 30 includes:
an information extraction submodule, configured to extract the number of nodes n and the threshold t from the key escrow information, where n is greater than or equal to t and the threshold t is the number of blockchain nodes required to recover the mnemonic;
a polynomial construction submodule, configured to encode the mnemonic into a numerical master secret s, choose t-1 coefficients, and construct a polynomial of degree t-1 from them, where the coefficients are a1, a2, ..., a_(t-1) and the polynomial is f(x) = s + a1*x + a2*x^2 + ... + a_(t-1)*x^(t-1);
a sending and destroying submodule, configured to take the independent and dependent variable of the polynomial as one sub-secret, send the sub-secrets to the n blockchain nodes, and destroy the polynomial.
In one embodiment, the sending and destroying submodule includes:
a node determination unit, configured to determine the blockchain nodes corresponding to the number of nodes n and the topic names those blockchain nodes subscribe to;
a sending and destroying unit, configured to connect to the blockchain nodes according to the blockchain's on-chain messenger protocol, send the sub-secret corresponding to each topic name to the blockchain node through the channel of that topic name, and destroy the polynomial.
In one embodiment, the second receiving module includes:
a node selection unit, configured to select, when a key acquisition request is received, t target blockchain nodes from the n blockchain nodes;
a sub-secret acquisition unit, configured to send an acquisition request to the target blockchain nodes and obtain the sub-secrets fed back by the target blockchain nodes in response to the request through the t on-chain messenger channels.
In one embodiment, the key recovery module includes:
a polynomial construction unit, configured to reconstruct the polynomial from the t sub-secrets, where each sub-secret consists of the independent variable i and the dependent variable f(i), and the reconstructed polynomial is:
a mnemonic generation unit, configured to compute the numerical master secret s = f(0) from the reconstructed polynomial and convert the numerical master secret s back into the mnemonic.
In one embodiment, the key recovery module includes:
a mnemonic generation unit, configured to divide the mnemonic into a message and a string, and iterate over the string by calling a function to generate a string seed;
a string splitting unit, configured to split the string seed into a master private key and the chain code corresponding to the master private key, where the chain code is used to generate child private keys from the master private key;
a key generation unit, configured to derive a child private key according to a preset private key derivation algorithm and use the child private key as the key corresponding to the acquisition request.
For the methods executed by the above program modules, reference may be made to the various embodiments of the blockchain-based key management method of the present invention, which are not repeated here.
It should be noted that, herein, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or system that comprises that element.
The serial numbers of the above embodiments of the present invention are for description only and do not indicate the relative merits of the embodiments.
From the description of the above embodiments, those skilled in the art will clearly understand that the methods of the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium as described above (such as ROM/RAM, a magnetic disk or an optical disc) and including instructions that cause a server device (which may be a mobile phone, a computer, a server, an air conditioner, a network device, etc.) to execute the methods described in the various embodiments of the present invention.
The above are only preferred embodiments of the present invention and do not limit its patent scope; any equivalent structural or process transformation made using the contents of the description and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included in the scope of patent protection of the present invention.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911128865.5A CN110838912B (en) | 2019-11-18 | 2019-11-18 | Block chain-based key management method, device, equipment and computer medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110838912A true CN110838912A (en) | 2020-02-25 |
CN110838912B CN110838912B (en) | 2023-07-21 |
Family
ID=69576663
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110838912B (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112001717A (en) * | 2020-10-27 | 2020-11-27 | 四川泰立科技股份有限公司 | Method, system and storage medium for calculating encryption currency of digital television |
CN112291355A (en) * | 2020-10-30 | 2021-01-29 | 上海阿吉必信息技术有限公司 | Key backup and recovery method and device for block chain wallet |
CN112712357A (en) * | 2020-12-30 | 2021-04-27 | 普华云创科技(北京)有限公司 | A private key management method and system for multi-institution, multi-chain, multi-currency and multi-account |
CN112865971A (en) * | 2021-03-29 | 2021-05-28 | 中信银行股份有限公司 | Private key generation method and device, electronic equipment and computer readable storage medium |
CN113141401A (en) * | 2021-04-20 | 2021-07-20 | 普华云创科技(北京)有限公司 | Multi-chain construction method and system based on master chain |
CN113505280A (en) * | 2021-07-28 | 2021-10-15 | 全知科技(杭州)有限责任公司 | Sensitive key information identification and extraction technology for general scene |
CN114189388A (en) * | 2021-12-17 | 2022-03-15 | 中国电子科技网络信息安全有限公司 | A consortium chain key management system and method |
CN114666057A (en) * | 2022-02-09 | 2022-06-24 | 青岛海尔电冰箱有限公司 | Block chain-based account management method and computer-readable storage medium |
CN114900284A (en) * | 2021-03-29 | 2022-08-12 | 北京融蚁科技有限公司 | A method for generating SM2 key based on mnemonic |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109474424A (en) * | 2018-12-17 | 2019-03-15 | 江苏恒宝智能系统技术有限公司 | Block chain account cipher key backup and method, the system of recovery |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |